Unable to openssl verify SSL certificate


Question

What I want to do: Get a clean connection with openssl -connect to a remote site.

The site appears to be self-signed.

What I'm getting:

CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)

What I have tried:

echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem

sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/

I have also tried

openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem 
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem

with:

ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate

I have changed the CN/Hostname to guard myself. But the hostname is also added to my hosts file, in case it helps.

Censored PEM file:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:c7:48:64:00:00:00:00:00:d0
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
        Validity
            Not Before: Mar  7 22:41:45 2015 GMT
            Not After : Mar  6 22:41:45 2016 GMT
        Subject: CN=DC01.home.pri
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    <CENSORED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            S/MIME Capabilities: 
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, DNS:DC01.home.pri
            X509v3 Subject Key Identifier: 
                <CENSORED>
            X509v3 Authority Key Identifier: 
                keyid:<CENSORED>

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha1WithRSAEncryption
         <CENSORED>

Accepted answer

The certificate you posted is not self-signed; the issuer (DC=pri, DC=home, CN=home-HOMECA-CA) differs from the subject (CN=DC01.home.pri).

When validating the certificate, OpenSSL is unable to find a local certificate for the issuer (or the issuer of the first certificate in the chain received from the web server during the TLS handshake) with which to verify the signature(s).

You need to give openssl verify the issuer certificate (or have it in your trust store):

openssl verify -CAfile /etc/ssl/certs/<issuer-cert>.pem ldapserver.pem
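The point of the answer, and the reason the asker's attempts with -CAfile ldapserver.pem failed, as an added example that is not part of the original question or answer: a POSIX shell script (it assumes the openssl command-line tool is installed and uses a temporary directory) that builds a throwaway issuing CA plus a leaf certificate reusing the names from the post, checks whether each certificate is self-signed by comparing subject to issuer, and reproduces both the asker's "error 20" (trust store contains only the leaf) and the fix (trust store contains the issuer). The keys and certificates are generated on the fly and are not the asker's.

```shell
#!/bin/sh
# Added example, not from the original post. Mirrors the asker's situation with
# a constructed two-level PKI: issuer home-HOMECA-CA signs leaf DC01.home.pri.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create an issuing CA (self-signed) and a leaf certificate signed by it.
make_test_pki() {
  # -x509 on req yields a self-signed certificate: subject == issuer.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/DC=pri/DC=home/CN=home-HOMECA-CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  # Leaf CSR, then sign it with the CA key: subject != issuer.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=DC01.home.pri" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/ldapserver.pem" >/dev/null 2>&1
}

# Print "yes" if the certificate is self-signed (subject equals issuer), else "no".
# This is the comparison the answer makes by eye on the dumped certificate.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)
  iss=$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)
  if [ "$subj" = "$iss" ]; then echo yes; else echo no; fi
}

# Print "ok" when the certificate chains to a trust anchor in the given CA file;
# otherwise print the numeric verify error (20 = unable to get local issuer certificate).
verify_against() {
  cafile=$1; cert=$2
  out=$(openssl verify -CAfile "$cafile" "$cert" 2>&1) && { echo ok; return 0; }
  # Failure output contains a line of the form "error 20 at 0 depth lookup: ...".
  echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
}

main() {
  make_test_pki
  echo "CA self-signed:        $(is_self_signed "$WORK/ca.pem")"          # yes
  echo "Leaf self-signed:      $(is_self_signed "$WORK/ldapserver.pem")"  # no
  # Same mistake as the asker: the leaf is the only thing in the trust store.
  echo "Verify with leaf only: $(verify_against "$WORK/ldapserver.pem" "$WORK/ldapserver.pem")"  # 20
  # The fix from the answer: supply the issuer certificate.
  echo "Verify with issuer:    $(verify_against "$WORK/ca.pem" "$WORK/ldapserver.pem")"          # ok
}
main
```

On the real host the file to pass as -CAfile is the issuing CA's certificate, not the server's own; the Authority Information Access extension in the dumped certificate names where that CA publishes it. Once the issuer is in the trust store (or passed with -CAfile), both openssl verify and s_client report a clean chain instead of errors 20, 21 and 27.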

